当前位置:网站首页>A mining of edu certificate station
A mining of edu certificate station
2022-07-04 23:10:00 【Hetian network security laboratory】
Preface
lately edusrc New certificate , This cannot be arranged for him .
Set goals
Information collection without words , Open it directly fofa, Use the syntax title="XXX university ", Found a system
See the login box , Maybe everyone will blow up the weak password first , Maybe my face is black , I have never been able to burst out in this way , So I prefer to test unauthorized access , Here I casually input an account number and password
Return to grab the return package of this interface , Back in the bag 500
Here I change it to 200 , Can enter the system , But there is no data information
And then I just F12 View the source code , Found a route ,/EmployeeManager, Splice it behind the website
visit
【---- Help network security learn , All the following learning materials are free ! Add weix:yj009991, remarks “ csdn ” obtain !】
① Thinking map of the growth path of Network Security Learning
② 60+ Network security classic common toolkit
③ 100+SRC Vulnerability analysis report
④ 150+ Network security attack and defense technology ebook
⑤ The most authoritative CISSP Certification test guide + Question bank
⑥ super 1800 page CTF Practical skills manual
Direct unauthorized access , Moderately dangerous , I originally wanted to submit it manually , But look at the certificate exchange conditions , Get two medium risks , It's not to embarrass me , There is no way to continue working overtime , So I used the user name and password I just got to log in
There is a personal commitment after logging in , You need to agree to the next step , Click OK to capture the package
The interface returns the user's ID card and password , And then EmployeeID=000005 Change to 000006
Another level of ultra vires , Leaked user sensitive information , Moderate risk should be stable , Then I noticed that this system distinguishes between the administrator and the ordinary user , A front-end can choose the role type to log in , Then I thought about whether I could log in with the account and password of ordinary users , Then exceed the authority of the administrator , Capture packets when logging in
Intercept the return packets of this interface
hold QX Change to administrator , And then put the bag
You can see that you have overstepped your authority and become an administrator
end
Are very conventional loopholes , The most important thing is to be careful .
More range experiments 、 Network security learning materials , Please click here >>https://www.hetianlab.com
边栏推荐
- [Taichi] change pbf2d (position based fluid simulation) of Taiji to pbf3d with minimal modification
- How can enterprises cross the digital divide? In cloud native 2.0
- 可观测|时序数据降采样在Prometheus实践复盘
- 【机器学习】手写数字识别
- P2181 对角线和P1030 [NOIP2001 普及组] 求先序排列
- Summary of wechat applet display style knowledge points
- Redis introduction complete tutorial: List explanation
- colResizable. JS auto adjust table width plug-in
- Attack and defense world misc advanced zone 2017_ Dating_ in_ Singapore
- Sword finger offer 65 Add without adding, subtracting, multiplying, dividing
猜你喜欢
【剑指offer】1-5题
Qt个人学习总结
A complete tutorial for getting started with redis: redis shell
[sword finger offer] questions 1-5
QT drawing network topology diagram (connecting database, recursive function, infinite drawing, dragging nodes)
PS style JS webpage graffiti board plug-in
Redis入门完整教程:有序集合详解
qt绘制网络拓补图(连接数据库,递归函数,无限绘制,可拖动节点)
【图论】拓扑排序
字体设计符号组合多功能微信小程序源码
随机推荐
Redis入门完整教程:初识Redis
Redis入门完整教程:键管理
[machine learning] handwritten digit recognition
A complete tutorial for getting started with redis: understanding and using APIs
Redis入门完整教程:API的理解和使用
Talk about Middleware
The difference between Max and greatest in SQL
Redis入门完整教程:慢查询分析
D3.js+Three. JS data visualization 3D Earth JS special effect
[sword finger offer] questions 1-5
Notepad++--编辑的技巧
Redis入门完整教程:Redis Shell
头文件重复定义问题解决“C1014错误“
机器学习在房屋价格预测上的应用
Servlet+JDBC+MySQL简单web练习
ffmpeg快速剪辑
Async await used in map
Duplicate ADMAS part name
刷题指南-public
Excel 快捷键-随时补充